Publication

SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers

April 24, 2014

On April 15, 2014, the Office of Compliance Inspections and Examinations of the Securities and Exchange Commission (the “SEC”) issued a Risk Alert regarding the SEC’s initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers.

The full text of the Risk Alert is available here.

SEC-registered investment advisers should review the Risk Alert, assess their current level of preparedness for cybersecurity threats, and consider whether any changes need to be made to their current cybersecurity policies and procedures. The Risk Alert includes an appendix containing 28 sample information requests that the SEC may send to investment advisers as part of the SEC’s cybersecurity initiative.

In summary, the sample information requests in the Risk Alert appendix cover the following topics:

cybersecurity governance, including the firm’s written information security policies, business continuity plan, and the identity of the firm’s Chief Information Security Officer;
identification and assessment of cybersecurity risks, including the month, year, and frequency with which physical devices, software platforms, and networks are inventoried at the firm and detailed information regarding the firm’s periodic risk assessments;
protection of networks and information, including whether the firm relies on any published cybersecurity risk management process standards and the practices and controls the firm utilizes to protect its networks;
risks associated with remote customer access and funds transfer requests;
risks associated with vendors and other third parties, including the policies and procedures the firm uses to assess cybersecurity risks of vendors and other third parties;
detection of unauthorized activity; and
experiences with certain cybersecurity threats.

The sample information requests in the Risk Alert also address compliance with the Identity Theft Red Flag Rules, which came into effect in 2013. For a summary of the Identity Theft Red Flags Rules, see our May 28, 2013 Foley Adviser.

We use cookies to enhance user experience, improve functionality and performance, and for analysis of website traffic. By clicking “accept”, you agree to the use of cookies. For more information about our cookie policy and the information we collect, please review our Privacy Statement.

Foley Hoag

Email Disclaimer

Transmitting information to us by e-mail unilaterally does not establish an attorney-client relationship or impose an obligation on either the law firm or even the receiving lawyer to keep the transmitted information confidential. By clicking "OK," you acknowledge that we have no obligation to maintain the confidentiality of any information you submit to us unless we already represent you or unless we have agreed to receive limited confidential material/information from you as a prospective client. Thus, if you are not a client or someone we have agreed to consider as a prospective client, information you submit to us by e-mail may be disclosed to others or used against you.

If you would like to discuss becoming a client, please contact one of our attorneys to arrange for a meeting or telephone conference. If you wish to disclose confidential information to a lawyer in the firm before an attorney-client relationship is established, the protections that the law firm will provide to such information from a prospective client should be discussed before such information is submitted. Thank you for your interest in Foley Hoag.

Publication

SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers

Share

Key Contacts

Catherine M. Anderson

Jennifer M. Macarchuk

Related Practices & Industries

Stay Up to Date